Every month we review the WordPress plugin vulnerability disclosures from Patchstack and WPScan and summarize the ones that matter most: high install counts, exploitable without privileges, or actively weaponized in the wild. February 2026 brought three worth immediate attention.
February 2026 at a Glance
| CVE | Plugin | CVSS | Type | Auth Required | Status |
|---|---|---|---|---|---|
| CVE-2026-1357 | WPvivid Backup & Migration | 9.8 Critical | Arbitrary File Upload / RCE | None | Patched — update to 0.9.124 |
| CVE-2026-1356 | Converter for Media | High | Server-Side Request Forgery | None | Patched — update to 6.5.2 |
| CVE-2026-2268 | Ninja Forms | High | Sensitive Data Exposure | None | Patched — update to 3.14.1 |
All three vulnerabilities have patches available. The WPvivid flaw is the highest priority — 900,000 installed sites and a full remote code execution path with no authentication required.
CVE-2026-1357 — WPvivid Backup & Migration (CVSS 9.8 Critical)
Affected versions: All versions up to and including 0.9.123
Fixed in: 0.9.124 (released January 28, 2026)
Publicly disclosed: February 12, 2026
Auth required to exploit: None — fully unauthenticated (with one condition, below)
Install count: 900,000+ active installations
WPvivid is a widely used plugin for WordPress site backups, migrations, and staging. CVE-2026-1357 is a remote code execution vulnerability that combines two weaknesses in the plugin's remote backup reception feature — the functionality that allows one WordPress site to receive a backup from another.
The vulnerability chain works as follows:
- Faulty RSA decryption handling: When the plugin's RSA decryption function fails, it passes the failed result (null bytes) to the AES decryption routine rather than aborting. The AES routine treats null bytes as a valid key, creating a predictable encryption key that an attacker can compute.
- Unsanitized filenames: The plugin accepts filenames for uploaded backup archives without sanitization. This allows directory traversal paths to be embedded in the filename, enabling an attacker to write files to arbitrary locations on the server — including locations outside the WordPress directory.
Combined, these weaknesses allow an unauthenticated remote attacker to upload a PHP file to a location of their choosing on the server and execute arbitrary code, achieving full server-level access.
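The two weak points in the chain, shown as hardened PHP. This is an added example, not WPvivid's code; the cipher layout (an RSA-wrapped AES-256-CBC key with a 16-byte IV prefixed to the payload) and the `.zip` archive extension are assumptions for illustration.

```php
<?php
// Added example (not WPvivid's code): hardened versions of the two weak points
// described above. Cipher layout (RSA-wrapped AES-256-CBC key, 16-byte IV
// prefixed to the payload) is an assumption for illustration.

/**
 * Unwrap the AES key with the site's RSA private key, then decrypt the payload.
 * Returns null on ANY failure. The bug class being fixed is ignoring a false
 * return from openssl_private_decrypt() and feeding the empty result to AES.
 */
function receive_backup_decrypt( string $wrapped_key, string $payload, string $private_key_pem ): ?string {
    $aes_key = '';
    if ( ! openssl_private_decrypt( $wrapped_key, $aes_key, $private_key_pem ) ) {
        return null; // fail closed: never continue with an undefined key
    }
    if ( strlen( $aes_key ) !== 32 || strlen( $payload ) <= 16 ) {
        return null; // AES-256 needs exactly 32 key bytes; payload must carry IV + data
    }
    $iv    = substr( $payload, 0, 16 );
    $plain = openssl_decrypt( substr( $payload, 16 ), 'aes-256-cbc', $aes_key, OPENSSL_RAW_DATA, $iv );
    return ( $plain === false ) ? null : $plain;
}

/**
 * Map a client-supplied archive name onto a path guaranteed to sit inside
 * $backup_dir. Returns null if the name is empty, hidden, has the wrong
 * extension, or would resolve outside the directory. Inside WordPress,
 * sanitize_file_name() would do the character filtering; a regex keeps this standalone.
 */
function safe_backup_path( string $backup_dir, string $client_name ): ?string {
    $name = (string) preg_replace( '/[^A-Za-z0-9._-]/', '', basename( $client_name ) );
    if ( $name === '' || $name[0] === '.' || ! preg_match( '/\.zip$/i', $name ) ) {
        return null; // drops traversal remnants ("..") and unexpected file types
    }
    $base = realpath( $backup_dir );
    if ( $base === false ) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // Belt and braces: the resolved parent of the target must be $base itself.
    if ( realpath( dirname( $target ) ) !== $base ) {
        return null;
    }
    return $target;
}

// Usage: a traversal-style name is rejected, a plain archive name is accepted.
var_dump( safe_backup_path( sys_get_temp_dir(), '../../not-an-archive.php' ) ); // NULL
var_dump( safe_backup_path( sys_get_temp_dir(), 'site-backup.zip' ) );          // string(...) path
```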
Important scope note: This vulnerability affects sites that have the "receive backup from another site" option enabled. This option is not enabled by default; it requires deliberate configuration. However, many site owners enable it during migrations and may not have turned it off afterward.
Check whether this feature is enabled in WPvivid's settings under the "Remote Backup" or "Migration" tab. If you are not actively using the receive-backup feature, disable it after updating. If you were running an affected version with the feature enabled, treat the site as potentially compromised and audit recently modified files.
CVE-2026-1356 — Converter for Media (High Severity)
Affected versions: All versions up to and including 6.5.1
Fixed in: 6.5.2
Auth required to exploit: None — unauthenticated
Install count: 500,000+ active installations
Converter for Media (formerly Enable Media Replace) is a plugin that converts images to WebP and AVIF formats and handles media file replacement in the WordPress media library. It is active on over 500,000 sites.
CVE-2026-1356 is a Server-Side Request Forgery (SSRF) vulnerability. SSRF allows an attacker to cause the server to make HTTP requests to internal or external resources — resources that the attacker could not access directly. In WordPress hosting environments, this commonly includes internal APIs, cloud metadata endpoints (such as the AWS instance metadata service at 169.254.169.254), or internal network services.
The practical impact of SSRF varies by hosting environment. On shared hosting it is typically limited; on cloud-hosted instances or VPS environments with access to cloud metadata or internal APIs, the exposure can be significantly more serious — including the potential to retrieve credentials from cloud metadata endpoints. Update to 6.5.2 regardless of hosting type.
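An added example (not Converter for Media's code) of the kind of outbound-target check that closes an SSRF hole in a plugin that fetches remote images. It mirrors what WordPress core's `wp_http_validate_url()` does; inside WordPress the idiomatic fix is to call `wp_safe_remote_get()` rather than `wp_remote_get()`. The `$resolver` parameter and the `$fake_dns` table are assumptions so the check runs without live DNS.

```php
<?php
// Added example (not the plugin's code): allow only http(s) URLs whose host
// resolves exclusively to publicly routable addresses. $resolver is an
// assumption so the function can be exercised without live DNS.

/**
 * Rejects loopback, RFC 1918 and link-local ranges, which covers the cloud
 * metadata endpoint 169.254.169.254, plus non-HTTP schemes and embedded
 * credentials. PHP 8.2+ also offers FILTER_FLAG_GLOBAL_RANGE, which is stricter.
 */
function is_safe_fetch_target( string $url, ?callable $resolver = null ): bool {
    $parts = parse_url( $url );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, gopher://, ftp:// and similar
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false; // embedded credentials are a classic parser-confusion trick
    }
    $host = strtolower( trim( $parts['host'], '[]' ) );
    // Literal IP in the URL, or resolve the hostname (gethostbynamel() is IPv4
    // only; a production check should resolve AAAA records too).
    $ips = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host )
         : ( $resolver ? $resolver( $host ) : gethostbynamel( $host ) );
    if ( empty( $ips ) ) {
        return false; // unresolvable hosts are rejected, not retried
    }
    foreach ( $ips as $ip ) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

// Constructed resolver standing in for DNS (addresses are sample values).
$fake_dns = function ( string $host ): array {
    return array( 'cdn.example.com'      => array( '93.184.216.34' ),
                  'internal.example.com' => array( '10.0.0.5' ) )[ $host ] ?? array();
};
var_dump( is_safe_fetch_target( 'http://169.254.169.254/', $fake_dns ) );            // false
var_dump( is_safe_fetch_target( 'https://internal.example.com/admin', $fake_dns ) ); // false
var_dump( is_safe_fetch_target( 'https://cdn.example.com/image.png', $fake_dns ) );  // true
```

The check and the later HTTP request resolve DNS separately, so a deployment that cares about rebinding should pin the validated IP for the actual request or enforce the same rule at an egress proxy.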
CVE-2026-2268 — Ninja Forms (High Severity)
Affected versions: All versions up to and including 3.14.0
Fixed in: 3.14.1
Auth required to exploit: None — unauthenticated
Install count: 600,000+ active installations
Ninja Forms is one of the most widely installed form builder plugins for WordPress. CVE-2026-2268 is a sensitive data exposure vulnerability in the base plugin — distinct from the file upload extension covered in a later roundup.
The flaw allows an unauthenticated attacker to access form submission data stored by the plugin. Depending on how a site's forms are configured, this data can include names, email addresses, phone numbers, and any other fields site visitors have submitted. For sites collecting contact inquiries or lead generation data, the exposure includes all stored submissions.
Update to 3.14.1. After updating, review who has access to your stored form submissions in the Ninja Forms admin panel and consider whether any data retention policy applies to submissions stored by the plugin — particularly if your site operates under GDPR or CCPA obligations.
What to Do
- Check your plugin list. Go to Plugins → Installed Plugins in your WordPress admin. Look for WPvivid Backup & Migration, Converter for Media, and Ninja Forms.
- Update immediately. Go to Dashboard → Updates and apply available updates. For WPvivid, confirm the version reads 0.9.124 or later after updating.
- Disable WPvivid's remote receive feature if you are not actively using it. In WPvivid settings, look for the remote backup or migration receiver toggle and turn it off.
- For WPvivid sites with the receive feature previously enabled: audit recently modified files using your hosting file manager or cPanel's File Manager, and look for any PHP files created in unexpected locations.
Looking Ahead
The WPvivid flaw is a reminder that migration and backup plugins carry elevated risk relative to other plugin categories — they handle file I/O with elevated permissions and often interact with the filesystem in ways that normal plugins do not. Sites that use backup plugins should be on the highest-priority list for plugin update monitoring.
We will publish the March 2026 roundup at the end of next month. In the meantime, the Patchstack database is updated daily and is free to search.